Solved: AmMap with Maxmind is showing wrong location on th...

ranjyotiprakash · ‎07-12-2012

I have developed a Splunk App which generates the reports based upon the Barracuda Web Application Firewall logs. I have a dashboard which has amMap flash map to show the location of clien_ip present in the logs. But, the map is showing incorrect location for the client_ip.

The log is :
Jul 11 08:57:07 barracuda 2012-07-11 08:57:07.381 -0400 "-" WF ALER SQL_INJECTION_IN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]69.61.11.227[type="sql-injection-medium" pattern="sql-comments" token="/"] 54067 66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 66.66.119.52/nawal/ HTTP 69.61.11.227 54067

The client_ip field is in bold.
69.61.11.227 is from India But, on map it is showing Saint Louis, United States.

I searched on web for the location of this client_ip and getting India as the result. But, on Map it is coming as Saint Louis, United States.

I have downloaded and installed the MAXMIND add on from this link link text, and AmMap from
link text.

I am using the following search string

Is there any way to update the MAXMIND database, which looks up for the geo location.

Please help...
Thanks ...

Vince246 · ‎07-12-2012

Rprakash,

"GeoLite Country and GeoLite City are free IP geolocation databases, updated on the first Tuesday of each month", source: Maxmind web site (http://www.maxmind.com/app/geolite).

Get the new file:
http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz, unzip it.
Replace your GeoIPLightCity.dat file with this new one.
On my spunk server (MAcOSx) this file is in /Applications/splunk/etc/apps/MAXMIND/bin/

Regards, Vince

View solution in original post

Vince246 · ‎07-12-2012

Rprakash,

"GeoLite Country and GeoLite City are free IP geolocation databases, updated on the first Tuesday of each month", source: Maxmind web site (http://www.maxmind.com/app/geolite).

Get the new file:
http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz, unzip it.
Replace your GeoIPLightCity.dat file with this new one.
On my spunk server (MAcOSx) this file is in /Applications/splunk/etc/apps/MAXMIND/bin/

Regards, Vince

ranjyotiprakash · ‎07-12-2012

Hi Vince,

Thanks for your reply. I will try replacing the GeoLiteCity.dat file with the newly dowmloaded GeoLiteCity.dat.

Regards,
RPrakash

Vince246 · ‎07-12-2012

Helo,

try running the same search omitting the "| mapit". This way you will see the location in writing.
I've seen this type of symptoms when the "home_threat_data.xml" file could not be overwritten by the script.
When that happens, the map you see is the result of a previous search. In this case, you need to manually delete the XML file before running the mapit search again.

Another comment: Maxmind database is good and better than most but cannot always be accurate. In some instances if it does not know a location for that IP, it will map it to the headquarters of the ISP/ IP range owner. There is nothing to do about this.

Regards, Vince

ranjyotiprakash · ‎07-12-2012

Hi Vince,

I ran the search without "mapit" even in that case also I am getting the same result

Client_City - Saint Louis

Client Country - United States.

Is there any way to update the database of maxmind addon ?
How that can be done ?

Thanks,
rprakash

AmMap with Maxmind is showing wrong location on the map ?

Index This | How many sides does a circle have?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?